News Archive

Data Learning

by msecadm4921

‘Treat all employees as a threat and all data as insecure’ ~ why there needs to be a fine line between pragmatism and paranoia ~ by Chris Mayers, Chief security architect at Citrix.

As sensitive data is exposed again and again through accidental loss or intentional theft, organisations are failing to learn from others’ mistakes. Many times, the problem seems to be caused by employees and other users who, intentionally or not, are leaving the ‘door’ to their corporate network wide open.

It is clear that a wholesale change in the fundamental approach to security is required if businesses are ever to reduce the risk presented by end users. And the first step in making this happen is to assume all end users present significant risk.

This isn’t to suggest all – or even any – employees are criminally motivated. Rather, it acknowledges human error is consistently the weakest link in the chain. In the instance of the HMRC data loss, where 26 million personal records were lost, the responsible way to handle all that sensitive data would have been to assume any employee or supplier, irrespective of intention or motive, is capable of losing, misplacing or misdirecting a CD. Yet data was written to CDs and passed from office to office by courier. There are so many weak links in that chain it probably doesn’t even qualify as a chain any more.

Employee security lapses happen for many reasons. Sometimes, it’s just more convenient to ignore security to get a job done. Often, the security needs of the data in question are not well understood. Occasionally, malicious intent enters the picture. And finally, people make mistakes.

The advance of technology has not made life any easier for the IT security professional. Think about where we personally maintain data – printed or electronic copies in our office, in our cars, in our homes, on our mobile devices. How easy is it for a company to rein all of this in?

People increasingly expect to be able to use mobile devices like smart phones or the BlackBerry and if the company won’t give it to them, they buy these convenience devices anyway. The risks are obvious: all of the user’s email and associated documents are on a mobile device that could be easily stolen, leaving open access to items that you would have had to infiltrate a company to get a few years ago.

Let’s be clear: users are not doing this because they’re malicious – they’re doing it because they crave the additional functionality, or they need to be connected at all times in this highly competitive world. Often, people are doing it to fit their lifestyle. They’re being asked to do all kinds of things outside work today. Let’s say they’ve committed to their boss or to a customer to get a particular task done. They save their data to an SD card, a USB stick or a mobile device. They don’t do it, saying: ‘I am going to take this information and put it at risk and put it in an unsecured location’. They do it because they genuinely believe they’re trying to get something done and help the organisation.

And sometimes this flexibility will open the company up to targeted attacks. Increasingly, hackers exploit the open wireless networks used by employees working from home or from public access points as a route to corporate applications and data. Industry analyst Gartner predicts that over the next year, the financial damage experienced by business because of targeted attacks will increase at least five times faster than damage caused by mass events. So what can be done? Unfortunately, it is beyond the scope of most organisations to secure the wireless networks prevalent in every home, airport, hotel or Internet café.

In the past, the tendency with security has been to lock it down. And that’s a big problem because 100 per cent secure is 100 per cent unusable. The end user just sees security as something that slows them down and gets in their way. Organisations have to be able to find a way to provide security for these types of situations but make it a benefit to the user. Security must be addressed across the application delivery infrastructure.

Instead of telling users that they can’t use a mobile device any more, or can’t connect to corporate resources, what if there was a way that the organisation can manage that data regardless of whether the device was purchased by the company or purchased by the end user? And as an extra benefit, wouldn’t it be great if the end user could go out and buy any type of device and ensure secure access to applications? You don’t have to reinstall and translate and everything else. What if you had a corporate-ready view on this phone?

That technology is available today. Organisations can give end users the applications they need on any type of device, regardless of where they are. Virtualisation means that users who want to take information home and work on it can do so without that data ever leaving the corporate network. The IT department can define different configurations and allocate resources according to a category of users, whether they’re accessing HR applications or they’re high-end developers. Users can have consistent authentication, access, and logging, so the company is covered for litigation support, assurance and compliance.

The weakest link in the chain is the one that causes all the problems. We can’t allow that to happen to IT security at the intervals seen in the past, because the penalties are extremely severe. But we mustn’t be panicked by shocking headlines. Businesses need flexibility and employees need access to applications delivered securely. Indeed, recent research from the Economist Intelligence Unit shows that 83 per cent of workers believe an ability to work remotely provides an organisation with competitive edge.

We simply need to mitigate the risks that could most impact business objectives. Taking an ‘inside out’ approach that focuses on the secure delivery of applications, using virtualisation methods, will ensure that employees can access the information they need, wherever they are, without it ever needing to leave the secure confines of the datacentre. The notion of a lost laptop will no longer strike fear into the heart of IT directors and business leaders, as the device itself becomes simply a piece of hardware, instead of the carrier of all your corporate secrets.

About Citrix Systems (UK) Ltd

It is exhibiting at Infosecurity Europe 2009, the information security event. Now in its 14th year, the show has 300 exhibitors and 12,000 visitors, and runs from April 28 to 30, 2009 at Earls Court, London.


© 2024 Professional Security Magazine. All rights reserved.